index.js

'use strict';

var PromiseA;
try {
  PromiseA = require('bluebird');
} catch(e) {
  PromiseA = global.Promise;
}

const _defaultLogger = (...args) => {
  try {
    console.log(...args);
  }
  catch (err) {
    console.log('error while logging. this should not happen', err);
  }
};

const _reqToJson = req => {
  const { statusCode, headers, body } = req;
  return { statusCode, headers, bodyExists: !!body };
};

// opts.approveDomains(options, certs, cb)
module.exports.create = function (opts) {
  // accept all defaults for greenlock.challenges, greenlock.store, greenlock.middleware
  if (!opts._communityPackage) {
    opts._communityPackage = 'greenlock-express.js';
    opts._communityPackageVersion = require('./package.json').version;
  }
  const logger = !opts.debug ? function(){} : _defaultLogger;

  logger('initializing with options', opts);

  function explainError(e) {
    console.error('Error:' + e.message);
    if ('EACCES' === e.errno) {
      console.error("You don't have prmission to access '" + e.address + ":" + e.port + "'.");
      console.error("You probably need to use \"sudo\" or \"sudo setcap 'cap_net_bind_service=+ep' $(which node)\"");
      return;
    }
    if ('EADDRINUSE' === e.errno) {
      console.error("'" + e.address + ":" + e.port + "' is already being used by some other program.");
      console.error("You probably need to stop that program or restart your computer.");
      return;
    }
    console.error(e.code + ": '" + e.address + ":" + e.port + "'");
  }

  function _createPlain(plainPort) {
    if (!plainPort) { plainPort = 80; }

    var parts = String(plainPort).split(':');
    var p = parts.pop();
    var addr = parts.join(':').replace(/^\[/, '').replace(/\]$/, '');
    var args = [];
    var httpType;
    var server;
    var validHttpPort = (parseInt(p, 10) >= 0);

    logger('creating insecure server', { plainPort, parts, p, addr, validHttpPort });

    if (addr) { args[1] = addr; }
    if (!validHttpPort && !/(\/)|(\\\\)/.test(p)) {
      console.warn("'" + p + "' doesn't seem to be a valid port number, socket path, or pipe");
    }

    var fallbackHandler = opts.fallbackHandler || require('redirect-https')();
    server = require('http').createServer(
      greenlock.middleware.sanitizeHost((req, res) => {
        logger('insecure server received request', { req: _reqToJson(req) });
        greenlock.middleware(fallbackHandler)(req, res);
      })
    );
    httpType = 'http';

    return { server: server, listen: function () { return new PromiseA(function (resolve, reject) {
      args[0] = p;
      args.push(function () {
        if (!greenlock.servername) {
          if (Array.isArray(greenlock.approvedDomains) && greenlock.approvedDomains.length) {
            greenlock.servername = greenlock.approvedDomains[0];
          }
          if (Array.isArray(greenlock.approveDomains) && greenlock.approvedDomains.length) {
            greenlock.servername = greenlock.approvedDomains[0];
          }
        }
        if (!greenlock.servername) {
          resolve(null);
          return;
        }
        return greenlock.check({ domains: [ greenlock.servername ] }).then(function (certs) {
          if (certs) {
            return {
              key: Buffer.from(certs.privkey, 'ascii')
            , cert: Buffer.from(certs.cert + '\r\n' + certs.chain, 'ascii')
            };
          }
          console.info("Fetching certificate for '%s' to use as default for HTTPS server...", greenlock.servername);
          return new PromiseA(function (resolve, reject) {
            // using SNICallback because all options will be set
            greenlock.tlsOptions.SNICallback(greenlock.servername, function (err/*, secureContext*/) {
              if (err) { reject(err); return; }
              return greenlock.check({ domains: [ greenlock.servername ] }).then(function (certs) {
                resolve({
                  key: Buffer.from(certs.privkey, 'ascii')
                , cert: Buffer.from(certs.cert + '\r\n' + certs.chain, 'ascii')
                });
              }).catch(reject);
            });
          });
        }).then(resolve).catch(reject);
      });
      server.listen.apply(server, args).on('error', function (e) {
        if (server.listenerCount('error') < 2) {
          console.warn("Did not successfully create http server and bind to port '" + p + "':");
          explainError(e);
          process.exit(41);
        }
      });
    }); } };
  }

  function _create(port) {
    if (!port) { port = 443; }

    var parts = String(port).split(':');
    var p = parts.pop();
    var addr = parts.join(':').replace(/^\[/, '').replace(/\]$/, '');
    var args = [];
    var httpType;
    var server;
    var validHttpPort = (parseInt(p, 10) >= 0);

    logger('creating secure server', { port, parts, p, addr, validHttpPort });

    if (addr) { args[1] = addr; }
    if (!validHttpPort && !/(\/)|(\\\\)/.test(p)) {
      console.warn("'" + p + "' doesn't seem to be a valid port number, socket path, or pipe");
    }

    var https;
    try {
      https = require('spdy');
      greenlock.tlsOptions.spdy = { protocols: [ 'h2', 'http/1.1' ], plain: false };
      httpType = 'http2 (spdy/h2)';
    } catch(e) {
      https = require('https');
      httpType = 'https';
    }
    var sniCallback = greenlock.tlsOptions.SNICallback;
    greenlock.tlsOptions.SNICallback = function (domain, cb) {
      sniCallback(domain, function (err, context) {
        cb(err, context);
        if (!context || server._hasDefaultSecureContext) {
          return;
        }
        return greenlock.check({ domains: [ domain ] }).then(function (certs) {
          // ignore the case that check doesn't have all the right args here
          // to get the same certs that it just got (eventually the right ones will come in)
          if (!certs) { return; }
          if (server.setSecureContext) {
            // only available in node v11.0+
            server.setSecureContext({
              key: Buffer.from(certs.privkey, 'ascii')
            , cert: Buffer.from(certs.cert + '\r\n' + certs.chain, 'ascii')
            });
            console.info("Using '%s' as default certificate", domain);
          } else {
            console.info("Setting default certificates dynamically requires node v11.0+. Skipping.");
          }
          server._hasDefaultSecureContext = true;
        }).catch(function (e) {
          // this may be that the test.example.com was requested, but it's listed
          // on the cert for demo.example.com which is in its own directory, not the other
          console.warn("Unusual error: couldn't get newly authorized certificate:");
          console.warn(e);
        });
      });
    };
    if (greenlock.tlsOptions.cert) {
      server._hasDefaultSecureContext = true;
      if (greenlock.tlsOptions.cert.toString('ascii').split("BEGIN").length < 3) {
        console.warn("Invalid certificate file. 'tlsOptions.cert' should contain cert.pem (certificate file) *and* chain.pem (intermediate certificates) seperated by an extra newline (CRLF)");
      }
    }
    server = https.createServer(
      greenlock.tlsOptions
    , greenlock.middleware.sanitizeHost(function (req, res) {
        logger('secure server received request', { req: _reqToJson(req) });
        try {
          greenlock.app(req, res);
        } catch(e) {
          console.error("[error] [greenlock.app] Your HTTP handler had an uncaught error:");
          console.error(e);
          try {
            res.statusCode = 500;
            console.log("[Greenlock] HTTP exception logged for user-provided handler.");
            res.end("Internal Server Error");
          } catch(e) {
            // ignore
            // (headers may have already been sent, etc)
          }
        }
      })
    );
    server.type = httpType;

    return { server: server, listen: function () { return new PromiseA(function (resolve) {
      args[0] = p;
      args.push(function () { resolve(/*server*/); });
      server.listen.apply(server, args).on('error', function (e) {
        if (server.listenerCount('error') < 2) {
          console.warn("Did not successfully create http server and bind to port '" + p + "':");
          explainError(e);
          process.exit(41);
        }
      });
    }); } };
  }

  // NOTE: 'greenlock' is just 'opts' renamed
  var greenlock = require('greenlock').create(opts);

  if (!opts.app) {
    opts.app = function (req, res) {
      res.end("Hello, World!\nWith Love,\nGreenlock for Express.js");
    };
  }

  opts.listen = function (plainPort, port, fnPlain, fn) {
    var server;
    var plainServer;

    // If there is only one handler for the `listening` (i.e. TCP bound) event
    // then we want to use it as HTTPS (backwards compat)
    if (!fn) {
      fn = fnPlain;
      fnPlain = null;
    }

    var obj1 = _createPlain(plainPort, true);
    var obj2 = _create(port, false);

    plainServer = obj1.server;
    server = obj2.server;

    logger('servers created', { plainPort, port });

    server.then = obj1.listen().then(function (tlsOptions) {
      logger('secure server ready');
      if (tlsOptions) {
        if (server.setSecureContext) {
          // only available in node v11.0+
          server.setSecureContext(tlsOptions);
          console.info("Using '%s' as default certificate", greenlock.servername);
        } else {
          console.info("Setting default certificates dynamically requires node v11.0+. Skipping.");
        }
        server._hasDefaultSecureContext = true;
      }
      return obj2.listen().then(function () {
        logger('insecure server ready');
        // Report plain http status
        if ('function' === typeof fnPlain) {
          fnPlain.apply(plainServer);
        } else if (!fn && !plainServer.listenerCount('listening') && !server.listenerCount('listening')) {
          console.info('[:' + (plainServer.address().port || plainServer.address())
            + "] Handling ACME challenges and redirecting to " + server.type);
        }

        // Report h2/https status
        if ('function' === typeof fn) {
          fn.apply(server);
        } else if (!server.listenerCount('listening')) {
          console.info('[:' + (server.address().port || server.address()) + "] Serving " + server.type);
        }
      });
    }).then;

    server.unencrypted = plainServer;
    return server;
  };
  opts.middleware.acme = function (opts) {
    return greenlock.middleware.sanitizeHost(greenlock.middleware(require('redirect-https')(opts)));
  };
  opts.middleware.secure = function (app) {
    return greenlock.middleware.sanitizeHost(app);
  };

  return greenlock;
};